Pretexting, also known as blagging in the UK, is a core social engineering tactic used by attackers to manipulate victims into revealing sensitive information, downloading malware, sending money, or granting access to systems and services. A pretext is a false scenario, fabricated to gain the trust of an individual, which often portrays the attacker as someone in authority or a helpful figure. The ultimate malicious aim of pretexting is to extract valuable data, compromise security, or cause harm to the victim or their organization. Pretexting weakens the victim’s security defenses, meaning a future social engineering attack, for instance a spear phishing attack, is more likely to be successful.
This article uncovers the elaborate tactics employed by malicious actors, shedding light on the various forms pretexting can take, including impersonation, fabricated scenarios, and exploiting trust relationships.
What does a pretext look like?
Understanding what a pretext might look like is crucial in safeguarding against them. Pretexts can manifest through various channels, such as emails, texts, social media direct messages, phone calls, or even in-person interactions.
Typically, pretexts involve two key components: a character assumed by the scam artist, and a believable scenario in which this character appears to legitimately require access to specific information. For instance, hackers might pose as familiar “trustworthy” figures - a colleague, a delivery person, or even a government agency. Attackers adeptly craft their scenarios using official-looking message formats, logos and jargon to trick the victim.
In sophisticated pretexting, victims might be coerced into actions which exploit both physical and digital vulnerabilities within an organization. A common guise used by pretexters is posing as employees or HR personnel within the finance department.
When is pretexting most often used?
Historically, tabloid journalists used pretexting tactics to unearth scandalous information about celebrities and politicians.
In more recent years, however, the use of pretexting has shifted towards more malicious monetary goals. Pretexting has become a favored tool in arsenals of scam artists who aim to infiltrate financial accounts and obtain sensitive private data for their own illicit gains.
Now, hackers are able to work around security measures such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which is designed to prevent forgery of the sending email domain, allowing them to more easily conduct pretexting scams.
What are some real world examples of pretexting scams?
In order to understand the severity of pretexting, examining real-world examples is very useful.
- 2006, Hewlett Packard
When Hewlett Packard suspected an information leak in 2006, it employed an outside firm to investigate. This firm used pretexting techniques to spy on the HP director’s phone records and impersonated board members. The scandal resulted in the resignation of Patricia Dunn, the chairwoman, and the filing of criminal charges.
- 2015, Ubiquiti Networks
In 2015, Ubiquiti Networks fell victim to an attack in which employees received messages from pretexters posing as senior executives, who then orchestrated a fraudulent transfer exceeding $40 million.
- 2017, MacEwan University
In 2017, MacEwan University was defrauded of almost $9 million by a scammer assuming the identity of a contractor. This attacker manipulated university staff into altering payment information through seemingly legitimate emails.
How to defend against a pretexting attack
- Exercise Caution: Verify the identity of individuals you communicate with. If unsure, check credentials via publicly available contact information, such as calling a known company number or email address from a company’s website. Thoroughly examine any unusual requests or situations you receive, and always insist on proper identification before sharing sensitive information or agreeing to requests.
- Be Aware: Stay informed about pretexting tactics and scams.
- Educate Staff: Empower your employees through comprehensive training about pretexts and other scamming methods, so they are more equipped to recognize potential threats. This cultivates a culture of cybersecurity awareness which will help protect your organization.
- Educate Users: As well as staff training, educate users of your website or organization on email spoofing methods. The key to pretexters' success is attacking victims who are unable to recognize such scams. Encourage scrutiny of email addresses for signs of pretexting. Establish and reinforce protocols for financial transactions, emphasizing the importance of validating requests in person or via trusted phone contacts to mitigate pretexting risks.
- AI-Based Email Analysis: Utilize AI to analyze user behaviors and detect indications of pretexting. Using Natural Language Processing (NLP) to scrutinize language patterns, AI can identify anomalies in email traffic, such as display name spoofing and cousin domains.
- Multi-factor Authentication (MFA): In the digital age, robust authentication measures are indispensable. Recommending the implementation of multi-factor authentication adds an extra layer of security, significantly reducing the vulnerability to pretexting attacks.
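The two indicators named under AI-Based Email Analysis, display name spoofing and cousin domains, can be checked with plain rules before any model is involved. The following Python script is an added example and not code from the original article: it parses a message's From header, flags a display name that matches someone in an assumed internal directory but is sent from an outside address, flags a sender domain that, after folding common look-alike character substitutions, sits within a small edit distance of the assumed company domain or embeds its name, and additionally flags a Reply-To that diverges from the From domain, a related indicator the article does not name. The company domain, the directory and the sample headers are all constructed for illustration. Neither check relies on DMARC: a cousin domain the attacker registered can pass DMARC cleanly, which is why this kind of analysis complements it rather than replacing it.

```python
"""Heuristic checks for pretexting indicators in email headers.

Added example, not from the original article. The company domain,
the internal directory and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example.com"  # assumed: the organization's own domain

# assumed internal directory: normalized display name -> real address
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}

# character substitutions commonly used to build look-alike domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace for directory lookup."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().replace(",", " ").split())


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_cousin_domain(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` looks like `company` but is not it or a subdomain of it."""
    if not domain or domain == company or domain.endswith("." + company):
        return False
    # fold digit-for-letter swaps and the classic "rn" for "m" trick
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m")
    if levenshtein(folded, company) <= 2:
        return True
    # e.g. example-corp.com or examplepayments.net embedding the company label
    company_label = company.split(".")[0]
    sender_label = domain.split(".")[0]
    return company_label in sender_label and sender_label != company_label


def analyze_message(raw: str) -> list:
    """Return a list of findings (empty when nothing suspicious is seen)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    key = normalize_name(name)
    if key in DIRECTORY and addr.lower() != DIRECTORY[key]:
        findings.append(f"display_name_spoof: '{name}' sent from {addr}")

    sender_domain = domain_of(addr)
    if is_cousin_domain(sender_domain):
        findings.append(f"cousin_domain: {sender_domain} resembles {COMPANY_DOMAIN}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply_to_mismatch: replies go to {reply_to}")
    return findings


# constructed sample headers, not real mail
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nhi\n",
    "display_spoof": "From: Jane Doe <jane.doe.ceo@gmail.com>\nSubject: Urgent wire\n\n...\n",
    "cousin": "From: Accounts Payable <ap@examp1e.com>\nSubject: Updated bank details\n\n...\n",
    "reply_to": "From: Sam Patel <sam.patel@example.com>\nReply-To: sam.patel@example-corp.com\n"
                "Subject: Invoice\n\n...\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyze_message(raw) or ["clean"])
```

Each finding is a string so the function can feed a mail gateway rule, a SIEM alert or a user-facing banner; tune the edit-distance threshold and the directory to your own domain before relying on it, since short company names produce more near-misses.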
What tactics do pretexting scammers use?
- Building Trust: Scammers work to gain victims’ trust by portraying their requests as legitimate and necessary.
- Research and Information Gathering: Detailed knowledge about targets allows scammers to coerce victims into giving up valuable information. Scammers gather information from publicly available sources, and may also access personal information on the dark web.
- Spoofing and Fake Identities: Faking phone numbers or email addresses, or assuming fake identities, even impersonating trusted figures, all help pretexting scammers to manipulate their victims.
- In-Person Interaction: In certain cases, scammers engage in face-to-face interactions with their victims.
What specific techniques do pretexting scammers use?
- Impersonation: Mimicking trusted individuals or organizations to gain credibility and deceive victims.
- Tailgating: Sneaking into a secure area by following an authorized person without their knowledge.
- Piggybacking: Gaining access by using the credentials of an authorized individual who allows them entry (usually without knowing they are a scammer, but sometimes working together).
- Baiting: Luring victims into traps, often using authentic-looking elements like recognizable logos or USB drives loaded with malware placed in commonly visited locations, such as a public bathroom.
- Phishing: Pretending to be a trustworthy entity, commonly via emails or text messages, to steal sensitive data like passwords or financial information. While pretexting and phishing are two separate things, many phishing attempts are built around pretexting scenarios.
- Vishing (Voice Phishing): Coercing victims over the phone to reveal private information or provide access to their devices.
- Smishing (SMS Phishing): Similar to vishing and phishing but executed through SMS or text messages.
- Scareware: Overwhelming victims with false threats, leading them to install malicious software under the guise of security measures.
Is pretexting illegal?
In the United States, pretexting is mostly illegal. Under the Gramm-Leach-Bliley Act of 1999 (GLBA), obtaining or attempting to obtain customer information from financial institutions through false pretenses or deception is strictly prohibited. GLBA-regulated entities must also implement measures to educate their staff about recognizing and thwarting pretexting efforts.
However, the legal framework regarding pretexting for non-financial information is less clear. For instance, the Hewlett-Packard scandal highlighted uncertainties about the legality of using pretexting to access phone records rather than financial data. Subsequently, Congress responded by enacting the Telephone Records and Privacy Protection Act of 2006, extending protection to telecom company records. Future legal cases will require prosecutors to navigate existing laws based on the specific scenario, posing challenges in determining legality and filing appropriate charges.
Understanding pretexting is pivotal to fortifying your organization's security posture. By delving into the intricacies of this deceptive technique, implementing robust security measures, and fostering a culture of awareness, you can effectively mitigate the risks posed by pretexting.